Ticket 5338: Race conditions in key rotation

Jeffrey Altman jaltman at secure-endpoints.com
Mon Jun 23 18:13:31 EDT 2008

Nicolas Williams wrote:
> On Mon, Jun 23, 2008 at 04:09:56PM -0400, Jeffrey Altman wrote:
>> I am going to write a patch to introduce fail over to the master
>> for all tgs requests.   I will add it to ticket 5338 and it can
>> then be evaluated for inclusion.
> Note: failover needs to not happen if a master is not defined...
> I know, it seems obvious...
> But also, it may be a good idea to make it optional, or to make failover
> be more of a "try another KDC" option.
> The client's behaviour shouldn't prevent/complicate the possibility of
> having kadmind instances running on all the KDCs nor multi-master
> replication.
In MIT Kerberos a KDC server running kadmind is not necessarily a
master.  The master notion is only defined if the master_kdc is
explicitly configured.  If "master_kdc" is not defined, then the
failover to master functionality is not used.

Jeffrey Altman
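For reference, the configuration knob the reply refers to is the per-realm master_kdc entry in the client's krb5.conf. The stanza below is an added illustration, not something posted in this thread or taken from the MIT Kerberos sources; the realm name and hostnames are made up for the example.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        # KDCs the client contacts, in order, for AS and TGS requests.
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        # Only this line gives the client a notion of "the master".
        # Leave it out and the failover-to-master behaviour discussed
        # above is simply never used; the kdc= hosts are all peers.
        master_kdc = kdcmaster.example.com
        admin_server = kdcmaster.example.com
    }
```

A kdc= host that happens to run kadmind is not treated as the master by the client; the client only knows a master exists if master_kdc is set, which is why the thread can make the failover behaviour conditional on that single setting.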
